UNIVERSITY OF CALIFORNIA, SANTA CRUZ

IT SECURITY COMPLIANCE SELF-ASSESSMENT


INSTRUCTIONS:

1. Start here. Complete this worksheet, filling out yellow areas.

2. Continue on and complete the Assessment Worksheet, working with both System Steward and IT Service Provider representatives.

3. Return to Janine Roeth via secure means by December 1, 2008. If you have any questions, please contact itpolicy@ucsc.edu.

4. Campus Governance has advised that System Steward representatives advise Principal Officers on key issues and develop security plans.

Description of environment being assessed:

Organization:

Contact Person:

List of systems, computers (including home computers used for university business), devices, applications, and data sources:

List roles with access, including roles with update or admin privileges:

Assessment Contributors:

Description and Classification of Information

Description of Information: Please generally describe the type of information in these systems, including what business functions are supported.

Sensitivity requirement (impact of unauthorized access or disclosure):
  High = Restricted data
  Moderate = Confidential data
  Low = Non-confidential data

If Sensitivity is High, are full Social Security Numbers stored?

If full Social Security Numbers are stored, please explain the business need or law that requires having them.

If no business need or law requires storing full Social Security Numbers, is there a plan to redact or remove them? If yes, please describe.

Availability requirement:
  Essential: Essential to the continuing operation of the University. Failure to function correctly and on schedule could result in a major failure to perform mission-critical functions, a significant loss of funds or information, or a significant liability or other legal exposure.
  Necessary: Necessary to perform important functions, but operations could continue for a short period of time without those functions while normal operations are being restored.
  Deferrable: Deferrable while operations continue for an extended period of time without those systems or services performing correctly or on schedule.

If availability is "Essential", list key physical locations for these systems.

Confidential: Security Sensitive – Not For Public Disclosure 2008, 522064281.xls


Assessment Worksheet

Columns: IS-3 Policy Requirements | Questions to Consider (reference to help with responses) | Responses | Maturity Level (see Maturity Levels tab) | Action Plan (describe any projected improvements for next year)

Security Program

Identification of Information Security Officer (III.A - page 4)
REQUIREMENT: Designate an individual to perform the function of an Information Security Officer(s) on each campus.
CAMPUS-LEVEL IMPLEMENTATION: The Director, Client Services and Security in ITS is the designated IS-3 Information Security Officer for UCSC.

Security Plan (III.C - page 6)
REQUIREMENT: Define/update the "security objectives" for confidentiality, integrity, and availability of information resources, describing the potential harm/security impact that failure to achieve security objectives would have on the operations, function, image/reputation, or ability to protect personal information.
Each organization should have a security plan in place defining their resources rating/risk (restricted/confidential/essential) with the appropriate level of protection implemented depending on risk. This plan should include actions taken for mitigation appropriate to risk level. Describe your security plan and any action/security plans you create resulting from this or other security reviews.

Education & Security Awareness Training (III.E - page 24)
REQUIREMENT: Conduct appropriate security awareness training for faculty, staff, and students.
BACKGROUND: General and restricted data self-paced security training materials are available online (http://its.ucsc.edu/security_awareness/) and incorporated into campus new employee orientation and Staff Training & Development curriculum. Campus awareness activities occur via email and during National Cyber Security Awareness Month (October). Divisional security activities derive from central communications, local operational needs, and event-driven responses.
QUESTIONS: Describe your program to provide security information to your workforce, including the proper handling of information and how information about relevant policies and laws is distributed. Is training required for access to this system or service? If so, does it include security information, either general (e.g. ITS Top 10 List) or specific to the systems/service (e.g. restricted data reminders)? Do you include security information in response to security-related events? More generally, are people made aware of the campus resources described above?

Identity and Access Management

REQUIREMENT:
* Control accurate identification of authorized University community members and provide authenticated access to and use of network-based services.
* Control access by authentication and authorization mechanisms to ensure that only identifiable individuals with appropriate authorization gain access to specified computing and information resources. [Identity and Access Management (III.C.2.a)]
BACKGROUND: UCSC has an identity management system (IdM) that is based on the CruzID.
QUESTIONS: Is authentication used for access to these systems or services? Does this system or service utilize the CruzID name as part of authentication? Is the authentication system local or is it integrated with something central, e.g. Kerberos or Active Directory? What is the mechanism for handling authorization, e.g., is it technically enforced within the application?

Security Program Processes

Risk Assessment, Asset Inventory & Classification (III.B - page 4)
REQUIREMENT:
* Inventory computing devices (servers, desktop computers, laptops, mobile devices, storage devices, etc.) and the characteristics of the information/data stored on or transmitted from/to those computing devices. Inventory applications and the characteristics of the data stored by or transmitted from/to those applications.
* Classify each computing device and application based on the characteristics of the associated stored data or data transmitted from/to the computing device or application.
QUESTIONS: Include inventory and classification information on page 1 of this assessment. Are you taking into account all the places where your data may be stored, including desktops, reports, portable devices, etc.? Additionally, is education in place instructing people to minimize storage and transmission of restricted data, such as by deleting, redacting or de-identifying restricted data whenever possible, including from storage devices? Are people aware of Office of Record and retention requirements (when it's OK to delete something and when it's not; where authoritative copies live)?

Risk Assessment (III.B)
REQUIREMENT:
* Understand and document the risks in the event of failures that may cause loss of confidentiality, integrity, or availability of information resources.
* Identify the level of security necessary for the protection of information resources.
Include inventory and classification information on page 1 of the assessment. This assessment worksheet identifies the controls in place and the maturity level of those controls. Review security requirements based on sensitivity from the matrix: http://its.ucsc.edu/security/policies/protection_matrix.php
QUESTIONS: What are your gaps in required security controls (based on this assessment)? Identify if the risk is low, medium or high. Determine cost-effective actions, and document an action plan to address areas of high risk.

[Workforce] Administrative (III.C.1 - page 6)

REQUIREMENT: Control how faculty, staff, students, and other affiliates are granted access privileges to computing and information resources and how those privileges for individuals are altered or revoked. Review privileged account access.
BACKGROUND: The Support Center handles account management related to CruzID and the Identity Management system (IdM). This includes creation, modification and termination of accounts. Validation for the CruzID is primarily through IdM, which is fed from authoritative systems.
QUESTIONS: Is there a formal authorization process for obtaining access to systems or data? Who is responsible for granting authorization? Please describe the authorization process. How about for obtaining privileged/admin access at any level, e.g. root access, superuser access, privileged application or database access, etc.? Does the Support Center have a role in account management for your system or service?
Are procedures in place to ensure prompt modification or termination of access or authorization levels in response to user separation or change in role? Including for people with privileged access? Are privileged accounts and individuals with access to these accounts reviewed periodically for appropriateness? Describe the review process, including frequency.

REQUIREMENT: Conduct appropriate background checks for personnel handling information classified as "sensitive" or "to be protected."
BACKGROUND: Campus HR procedures exist for identifying positions requiring background checks. ITS requires all staff to have background checks as a standard part of the recruitment process.
QUESTIONS: Are required background checks for employees in your organization implemented promptly upon hire or reclassification? Do you know whether other departments do the same for people who have access to your system?

REQUIREMENT: Take appropriate personnel/disciplinary action(s) for violations of policy/procedures.
BACKGROUND: Campus procedures for reporting violations of law or policy/procedures include but aren't limited to the Whistleblower, Title IX, Ombudsman, Human Resources, Labor Relations, and Student Judicial Offices, campus police, and reporting to a supervisor.
QUESTIONS: Is management aware of campus procedures for reporting violations of law or policy/procedures? Are individuals? Does the department have any local procedures in addition to campus procedures? Are violations and responses reported and documented?

Applications Systems Management

REQUIREMENT: Control application systems development/maintenance through conformance with specifications in IS-10, local standards, procedures, guidelines, and conventions; conduct application vulnerability assessments as appropriate. [System & Applications Software Development (III.C.2.c.v)]
QUESTIONS: Describe the process used to develop/deploy new application(s) from inception (requirements, function, funding), to development (coding standards, application security, authentication/authorization), and deployment (workflow, management approval, alpha/beta testing and pilot, release). Does application development and maintenance conform to the specifications of UC BFB IS-10, Systems Development and Maintenance Standards? Does application development take into account business decisions about how restricted or confidential information should be collected, stored, shared, and managed? Are application vulnerability assessments performed? Is appropriate separation of duties in place? Is data in test, training and development systems protected according to its classification, including storage, transmission, bug reports, and bug reporting systems?

REQUIREMENT: Control production application software modification through change management procedures for major systems. [Change Management (III.C.2.e)]
BACKGROUND: ITS has adopted a divisional change management process for outage communications and maintenance window guidelines.
QUESTIONS: Explain procedures used to manage and document changes. Include any method in place to provide history of changes. Are change management procedures in place where restricted data is involved and for essential systems? Are changes tested and backout plans developed? Is documentation updated based on changes?

Risk Mitigation Measures (III.C.3.a - page 20)

REQUIREMENT: Protect resources in the event of emergencies.
BACKGROUND: If the system or service is in the ITS Data Center, this information is provided by the ITS Core Tech Operations group. The Data Center has regular data backups and mitigations for infrastructure failures, including power, fire, flooding.
QUESTIONS: Where is this system or service housed, including backups? If not in the ITS Data Center, or for any portions not in the Data Center, describe what is in place for the prevention, detection, early warning of, and recovery from emergency conditions. For example, are there locks, is there UPS or generator back-up power, is there fire suppression? Are procedures in place to protect restricted data during emergencies when focus may be elsewhere? Are there regular backups of critical/essential data and are they securely stored in an off-site location?

Incident Response Planning & Notification Procedures (III.D - page 21)

REQUIREMENT: Maintain incident response and notification processes.
BACKGROUND: The campus has an implementation plan for protection of electronic restricted data (http://its.ucsc.edu/security/policies/ucsc_breach_guideline.php) and data security incidents are to be reported to help@ucsc.edu.
QUESTIONS: Is everyone aware of campus procedures for reporting and responding to potential security incidents? Do additional departmental procedures exist, and if so, are people aware of them?

Third Party Agreements (III.F - page 28)

REQUIREMENT: Ensure that contracts with external entities include data security language.
BACKGROUND: Purchasing has adopted the use of the Appendix DS for all vendor contracts using a PO, with additional HIPAA BAA or PCI-DSS language for new agreements when they are informed it is needed.
QUESTIONS: Did Purchasing or Business Contracts review/execute all contracts and POs with vendors that have access to the systems or data? Was additional language, e.g. for HIPAA or PCI, required? Were any of these contracts or POs executed before 2006? If so, they may need to be reviewed for appropriate language. Is a non-UCSC party managing a web site for you that collects sensitive data, such as SSN, credit card info, or other PII or restricted data? If so, was this approved through the appropriate campus compliance team? (If you're not sure, contact the IT Policy Office at itpolicy@ucsc.edu.)

Security Controls

Access Controls (III.C.2.b - page 11): Control passwords and sessions to minimize risk of unauthorized access to restricted computing and information resources.

REQUIREMENT: Control passwords through password management conventions and vulnerability assessment procedures. [Passwords and other authentication credentials (III.C.2.b.i)]
BACKGROUND: UCSC has a password policy. The associated standards are available at http://its.ucsc.edu/security/policies/password.php
QUESTIONS: Do passwords comply with UCSC password strength and security requirements? Is the password policy technically enforced by your system or service? If not, describe any limitations that prevent this and additional mitigations to compensate. Are passwords tested for strength? Are there any expiration or password aging policies? Do individuals have unique access credentials? How about vendors/contractors?

REQUIREMENT: Control access to working sessions through session timeout mechanisms. [Session protection (III.C.2.b.ii)]
QUESTIONS: Is there a session timeout for the application, including for administrators? Are users encouraged to implement screensaver locks at the desktop? Are desktops configured to automatically lock or go to screensaver after a period of inactivity?

REQUIREMENT: Control privileged account access through defined procedures for providing privileged accounts and reviewing activity under privileged accounts. [Privileged access (III.C.2.b.iii)]
QUESTIONS: See "[Workforce] Administrative," above, for the process for obtaining privileged access/accounts. Is privileged access and activity logged? Are logs reviewed periodically? Are they reviewed in response to potential security events? Do individuals have unique access credentials for privileged access?

Systems and Application Security (III.C.2.c - page 14)

REQUIREMENT: Control systems-level access through review of personnel assignments for appropriate classification, security responsibilities, and separation of duties. [Systems Personnel (III.C.2.c.i)]
BACKGROUND: Central systems and applications are supported by ITS employees with IT-related classifications.
QUESTIONS: Do job descriptions for individuals who provide application and system support accurately reflect their duties and access to restricted data or systems? Are individuals who provide IT-related services trained and knowledgeable in these areas of responsibility? Do defined procedures exist for reviewing personnel assignments for appropriate classification, security responsibilities, and separation of duties?

REQUIREMENT: Backup systems supporting essential activities; encrypt data where required to secure backup data. [Back Up and Retention (III.C.2.c.ii)]
BACKGROUND: If the system or service is in the ITS Data Center, this information is provided by the ITS Core Tech Operations group. The Data Center has regular data backups.
QUESTIONS: Are backups containing restricted data stored securely and/or encrypted? For all systems, including those in the Data Center, is recovery of data tested? Is data integrity/user functionality ensured/verified upon recovery or restore? Is a retention and disposition schedule in place for backups? Also see "Risk Mitigation Measures," above.

REQUIREMENT: Protect computing and information resources from malicious software (e.g., viruses, worms, Trojans, spyware, etc.). [System Protection (III.C.2.c.iii)]
BACKGROUND: For systems in the ITS Data Center, firewalls provide a level of protection against malicious software.
QUESTIONS: Is anti-virus and anti-spyware installed, running, and logging? Are they current and up-to-date? How is this verified? For systems not in the ITS Data Center, is a firewall in place?

REQUIREMENT: Maintain currency of operating systems and application systems software. [Patch Management (III.C.2.c.iv)]
QUESTIONS: Describe the patching process, including frequency, whether it is a manual or automatic process, and verification. Is there a testing or backout procedure? What is the process for severe or critical updates?

Audit Logs (III.C.2.f - page 17)
REQUIREMENT: Monitor for attempted/actual unauthorized access through review of access and audit logs.
QUESTIONS: Are available logs enabled at the OS, application/database, and workstation level? Including logs of privileged access and activities? Are procedures in place to proactively review logs, or is review event-driven, such as in the case of problems or potential security incidents?

Encryption (III.C.2.g - page 18)
REQUIREMENT: Control risk of unauthorized access to "sensitive"/"restricted" data by use of encryption.
QUESTIONS: Describe encryption methods or mitigating controls: Are passwords or other authentication tokens encrypted in transit and in storage? Is restricted data encrypted during transmission, including printing? Is stored restricted data encrypted? How about database tables or columns with restricted data elements? Is restricted data on backups, portable devices and media encrypted or otherwise protected? Are encryption keys secure? Are encryption keys managed to ensure availability of essential data?

Physical/Environmental Controls (III.C.3 - page 19)

REQUIREMENT:
* Control access to facilities by appropriate measures. [Physical Access Controls (III.C.3.b)]
* Track movement of devices. [Tracking Reassignment or Movement of Devices & Stock Inventories (III.C.3.c)]
* Remove data before equipment is re-deployed, recycled, or disposed. [Disposition of Equipment (III.C.3.d)]
BACKGROUND: If the system or service is in the ITS Data Center, this information is provided by the ITS Core Tech Operations group. Access to the Data Center is regulated by the Data Center Access Policy as well as physical security controls (i.e. locks). Movement of equipment is tracked; rack inventory is updated as needed and reviewed quarterly. Devices are stored securely pending secure destruction (ITS adopted a secure media destruction service in 2007-08); locksafes/fireproof vaults are used for media.
QUESTIONS: Where is this system or service housed, including backups? If not in the ITS Data Center, or for any portions not in the Data Center:
* Describe the physical security controls protecting access to the facility, systems and data, including backups and portable devices.
* Are facility access policies in place, including procedures to verify the identity of individuals and tracking of entry and exit, including for visitors and guests?
* Are all critical and restricted systems locked down?
* Is there a unit inventory of all computers and storage devices with restricted or critical data, including portable devices (data sticks, CDs, PDAs, etc.) and media? Is there frequent movement of equipment? Is

REQUIREMENT: Control physical security of portable media. [Portable & Media Devices (III.C.3.e)]
QUESTIONS: Are portable devices and media used? If so, are procedures in place to ensure their physical security? Are laptop computers locked down? Is restricted data on portable devices and media encrypted? Is there a practice of reviewing and deleting data from portable devices when no longer needed?

Network Security (III.C.2.d - page 17) / Minimum Requirements for Network Connectivity (IV)

Control network and computing resources exposure to risk through minimum network connectivity requirements, firewalls and Intrusion Detection System/Intrusion Prevention System (IDS/IPS) as appropriate:

REQUIREMENT: Control access to networked devices through authentication measures (e.g. user name/password or better). [Access Control Measures (IV.A.)]
See "[Workforce] Administrative" and "Access Controls," above.

REQUIREMENT: Protect passwords or other authentication tokens while in transit through the use of encryption. [Encrypted Authentication (IV.B.)]
See "Encryption," above.

REQUIREMENT: Control potential security loopholes by maintaining current operating system, application software, and firmware code on all devices connected to the network. [Patch Management Practices (IV.C.)]
See "Systems and Application Security," above.

REQUIREMENT: Protect networked devices against malicious software. [Malicious Software Protection (IV.D.)]
See "Systems and Application Security," above.

REQUIREMENT: Control the use of networked devices for intended purposes by eliminating unnecessary services from devices. [Removal of Unnecessary Services (IV.E.)]
QUESTIONS: Are services not necessary for operation disabled, turned off or removed, including ports, relays, and default accounts?

REQUIREMENT: Control network communications to/from networked devices through host-based firewall software, as available. [Host-based Firewall Software (IV.F.)]
QUESTIONS: Are host-based firewalls enabled and properly configured, where available? What about network firewalls and Intrusion Detection System/Intrusion Prevention System?

REQUIREMENT: Prevent networked devices from becoming unauthorized email relays. [Authenticated Email Relay (IV.G.)]
QUESTIONS: Do you run any email relays? Are they properly configured? Can this be demonstrated?

REQUIREMENT: Control access to network proxy servers through authentication. [Authenticated Network Proxy Servers (IV.H.)]
QUESTIONS: Do you run any network proxy servers? Is access controlled through authentication? Can this be demonstrated?

REQUIREMENT: Control access to restricted or essential services by limiting unattended/inactive sessions through session timeouts. [Session Timeout (IV.I)]
See "Access Controls," above.

Special Categories of Data

HIPAA Security Rule / UCSC Practices for HIPAA Security Rule Compliance
If ePHI is present, is the department represented on the campus HIPAA Security Rule Compliance Team? Are the HIPAA Practices implemented? http://its.ucsc.edu/security/docs/hipaa_practices.pdf

Payment Card Industry Data Security Standard (PCI DSS)
If credit card information is stored, processed or transmitted, has the campus PCI Compliance Team been informed? Is the credit card environment PCI compliant? http://its.ucsc.edu/security/policies/pci.php

Maturity Levels

0 Not Performed: Complete lack of any recognizable processes. The institution has not even recognized that there is an issue to be addressed.

1 Performed Informally: There is evidence that the institution has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

2 Planned and Tracked: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

3 Well Defined and Communicated: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

4 Managed and Measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Continuously Improved: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
KEY (values used on page 1)

Impact    Availability  SSN
High      Essential     Yes
Moderate  Necessary     No
Low       Deferrable
